Via Matt Franz, I came across a Response to WAF/IDS/IPS Effectiveness Report. I found this a little odd, since NTOBJECTives seems to have produced the report to which they then respond. (I may totally misunderstand what’s going on here.) (EDIT: I did totally misunderstand; see the comments below. The report writer is not associated with NTOBJECTives at all. Apologies!)
Regardless, it made a point or two I found worth noting about bang for your buck[1] for WAF and IDS/IPS configuration:
An organization should plan to spend 2-3.5 hours per application they plan to place behind a WAF to gain that consistent level of protection for all their applications.
The post seems to imply that they consider this a bit on the high end, and that organizations do as well:
This is significantly more time spent than the average organization spends on their production WAF installations.
I find this really problematic: not the accuracy of the statement, as I don’t have any data that contradict it. However, I have to ask whether organizations find this all that high, considering the protection you’re getting and the time invested in configuring other technologies. If you bring in a consultant to set it up, and she charges $250/hour, that comes to something on the order of $1000 per application. Having recently looked at WAF prices, I’d say that that’s really tinkering on the margins of the project cost. And anyone who’s ever managed an IDS or IPS installation knows that those technologies require far more time to configure and manage (tune) effectively.
In any case, I suspect that a really effective WAF would require more attention than that, particularly in agile shops. Two to three hours per application per week sounds more realistic to me, meaning that most organizations will need a dedicated application security person just for the WAF, or else find a way to embed the responsibility in development organizations under the oversight of an appsec specialist (to avoid “allow all” situations).
[1]: I refuse to get into the “security ROI” debate in this post.